
Add support for multiple MFA TOTP devices in OneLogin #1456

@michiel-de-muynck

Description

In OneLogin, it is possible to set up multiple MFA TOTP devices, and to designate one as the primary. However, when I did this, there was no way to make saml2aws use the new MFA device:

  • If multiple TOTP devices are available, the CLI does not prompt for which one to use
  • There are no CLI flags for specifying which TOTP device to use for OneLogin
    • --mfa can be set to "TOTP". All my attempts to set a specific TOTP device resulted in the error "Invalid MFA type"
    • --disable-remember-device is only for Okta, not for OneLogin
  • Setting a specific MFA device in OneLogin as "primary" has no effect on saml2aws: all attempts to log in were using the same (oldest, non-primary) device and gave the error "Error authenticating to IdP.: error verifying MFA: HTTP 401: Failed authentication with this factor"

The only solution for me was deleting my old MFA TOTP device in OneLogin, so that there was only one MFA device there. After doing that, I could log in without issue.
